SimFuzz: Similarity-guided Block-level Mutation for RISC-V Processor Fuzzing

2026-01-17

AI Summary
This work addresses key limitations in existing RISC-V fuzzing approaches, which often produce redundant test cases, struggle to cover cross-processor boundary scenarios, and rely on inefficient coverage feedback. To overcome these challenges, the authors propose a coverage-guidance-free fuzzing method that constructs a high-quality seed corpus from historical vulnerability-inducing inputs and employs instruction similarity metrics to perform block-level semantic-preserving mutations. This strategy efficiently explores the processor input space while preserving control-flow structures. Evaluated on Rocket, BOOM, and XiangShan processors, the approach uncovered 17 bugs (14 of them previously unknown, with 7 assigned CVE identifiers) and achieved up to 73.22% multiplexer coverage, significantly outperforming conventional coverage-guided fuzzing techniques.

๐Ÿ“ Abstract
The Instruction Set Architecture (ISA) defines processor operations and serves as the interface between hardware and software. As an open ISA, RISC-V lowers the barriers to processor design and encourages widespread adoption, but also exposes processors to security risks such as functional bugs. Processor fuzzing is a powerful technique for automatically detecting these bugs. However, existing fuzzing methods suffer from two main limitations. First, their emphasis on redundant test case generation causes them to overlook cross-processor corner cases. Second, they rely too heavily on coverage guidance. Current coverage metrics are biased and inefficient, and become ineffective once coverage growth plateaus. To overcome these limitations, we propose SimFuzz, a fuzzing framework that constructs a high-quality seed corpus from historical bug-triggering inputs and employs similarity-guided, block-level mutation to efficiently explore the processor input space. By introducing instruction similarity, SimFuzz expands the input space around seeds while preserving control-flow structure, enabling deeper exploration without relying on coverage feedback. We evaluate SimFuzz on three widely used open-source RISC-V processors: Rocket, BOOM, and XiangShan, and discover 17 bugs in total, including 14 previously unknown issues, 7 of which have been assigned CVE identifiers. These bugs affect the decode and memory units, cause instruction and data errors, and can lead to kernel instability or system crashes. Experimental results show that SimFuzz achieves up to 73.22% multiplexer coverage on the high-quality seed corpus. Our findings highlight critical security bugs in mainstream RISC-V processors and offer actionable insights for improving functional verification.
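
A minimal sketch of similarity-guided, block-level mutation as the abstract describes it, added here as an example and not taken from SimFuzz or the paper. The page does not give the paper's similarity metric, so the metric (shared encoding format plus shared functional class), the instruction table and the seed block are assumptions constructed for illustration.

```python
import random

# Constructed RV32IM subset: mnemonic -> (encoding format, functional class).
ISA = {
    "add": ("R", "alu"), "sub": ("R", "alu"), "xor": ("R", "alu"),
    "and": ("R", "alu"), "mul": ("R", "muldiv"), "div": ("R", "muldiv"),
    "addi": ("I", "alu"), "xori": ("I", "alu"), "andi": ("I", "alu"),
    "lw": ("I", "load"), "lh": ("I", "load"), "lb": ("I", "load"),
    "jalr": ("I", "jump"), "sw": ("S", "store"), "sh": ("S", "store"),
    "sb": ("S", "store"), "beq": ("B", "branch"), "bne": ("B", "branch"),
    "jal": ("J", "jump"),
}
CONTROL_FLOW = {"branch", "jump"}

def similarity(a, b):
    """Assumed metric: 0.5 for a shared encoding format, 0.5 for a shared class."""
    return 0.5 * (ISA[a][0] == ISA[b][0]) + 0.5 * (ISA[a][1] == ISA[b][1])

def candidates(mnemonic, threshold=0.5):
    """Replacements that keep the operand layout and never add control flow."""
    return sorted(
        m for m in ISA
        if m != mnemonic
        and ISA[m][0] == ISA[mnemonic][0]      # same format: operands still fit
        and ISA[m][1] not in CONTROL_FLOW      # never turn data flow into a jump
        and similarity(mnemonic, m) >= threshold
    )

def mutate_block(block, rng, threshold=0.5):
    """Mutate one basic block; branches and jumps are copied verbatim."""
    out = []
    for mnemonic, operands in block:
        fixed = ISA[mnemonic][1] in CONTROL_FLOW
        options = [] if fixed else candidates(mnemonic, threshold)
        out.append((rng.choice(options) if options else mnemonic, operands))
    return out

# Constructed seed block standing in for a historical bug-triggering input.
SEED_BLOCK = [
    ("addi", ("a0", "a0", 4)), ("lw", ("a1", "sp", 0)),
    ("mul", ("a2", "a0", "a1")), ("sw", ("a2", "sp", 8)),
    ("bne", ("a2", "zero", -16)),
]

if __name__ == "__main__":
    for mnemonic, operands in mutate_block(SEED_BLOCK, random.Random(0)):
        print(mnemonic, operands)
```

Raising `threshold` to 1.0 restricts each swap to the same functional class, which keeps mutants closer to the seed; the terminating `bne` is never touched, so the block's control-flow edge is preserved.
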
Problem

Research questions and friction points this paper is trying to address.

RISC-V
processor fuzzing
functional bugs
coverage guidance
test case redundancy
Innovation

Methods, ideas, or system contributions that make the work stand out.

similarity-guided mutation
block-level fuzzing
RISC-V processor verification
seed corpus optimization
coverage-independent fuzzing